The short answer
In Kubernetes, to execute a command inside a running Pod’s container, you can use the [.inline-code]kubectl exec[.inline-code] command as follows:
Where:
- [.inline-code]pod[.inline-code] is the name of the pod you want to execute a command into.
- [.inline-code]command[.inline-code] is the command you want to execute.
- [.inline-code]--[.inline-code] the double dash separates the [.inline-code]kubectl[.inline-code] parameters and flags from the command you want to run and its flags/parameters.
For example:
This will execute the [.inline-code]env[.inline-code] command within a Pod named [.inline-code]web-0[.inline-code], resulting in its environment variables being outputted to the terminal window.
[#easily-recall-syntax-with-ai] Easily retrieve this command using Warp’s AI Command Suggestions [#easily-recall-syntax-with-ai]
If you’re using Warp as your terminal, you can easily retrieve this command using the Warp AI Command Suggestions feature:
Pressing the [.inline-code]#[.inline-code] symbol at the start of a line will pull up the AI search and then you can enter [.inline-code]kubernetes execute command[.inline-code] to get the command template. You can quickly insert that command into your shell using [.inline-code]CMD+ENTER[.inline-code].
[#handle-executable-not-find] Handling the “command / executable file not found” error [#handle-executable-not-find]
When trying to execute a command within a Pod, you need to make sure that this command is defined in the PATH environment variable of the container, as it might otherwise result in an “executable not found” error. In that case, you can use the full path to the executable.
For example:
This command will execute the [.inline-code]redis-cli[.inline-code] utility located in the [.inline-code]/opt[.inline-code] directory of the Pod named [.inline-code]web-0[.inline-code].
[#run-interactive-commands] Running interactive commands [#run-interactive-commands]
By default [.inline-code]kubectl exec[.inline-code] will run the specified command without being attached to the standard input, which means that the command will run and immediately exit.
If you need to run a program that requires user input, you can run the [.inline-code]kubectl exec[.inline-code] command using the [.inline-code]-i[.inline-code] and [.inline-code]-t[.inline-code] flags:
Where:
- [.inline-code]-i[.inline-code] connects your terminal to the standard input of the command’s process.
- [.inline-code]-t[.inline-code] wraps the connection in a pseudo-TTY providing an enhanced terminal-like interface.
For example, to launch the NodeJS runtime in a Pod with the [.inline-code]node[.inline-code] command, you can run the following [.inline-code]kubectl[.inline-code] command:
This works exactly like running interactive commands in Docker, which you can learn more about by reading our article on how to run a Bash shell in Docker.
[#start-a-shell-session-in-a-container] Starting an interactive shell session in a Pod's container [#start-a-shell-session-in-a-container]
Often, it’s useful to start an interactive shell session instead of running a one-off command, for situations where you need to perform multiple manual actions or debug a container.
Most of the time you will want to simply run [.inline-code]bash[.inline-code], as it has pretty good odds of being defined in the PATH environment variable and provides a better experience then the [.inline-code]sh[.inline-code] shell.
To start an interactive shell session with Bash, you can use the following command:
[#list-available-shells] Finding the list of available shells [#list-available-shells]
If the [.inline-code]bash[.inline-code] command is not directly available in the PATH of the container, you can try one of the following popular shell paths instead:
- /bin/bash
- /bin/sh
- /bin/zsh
- /bin/ash
If none of these paths work, you may want to perform a search in folders like [.inline-code]/usr/bin[.inline-code], which can be automated using the following command:
This command will search in the [.inline-code]/bin[.inline-code] and [.inline-code]/usr/bin[.inline-code] for anything ending with [.inline-code]sh[.inline-code]. Some of these might not be shells, but most of the shells end with "sh". If you don’t have [.inline-code]find[.inline-code] you can use [.inline-code]ls[.inline-code] to manually go through them (combined with a local [.inline-code]grep[.inline-code]) to get a similar result.
[#run-commands-in-a-specific-container] Executing a command in a Pod with multiple containers [#run-commands-in-a-specific-container]
By default, [.inline-code]kubectl exec[.inline-code] will execute the specified command in the first container listed in the YAML Pod spec file.
To execute a command in a specific container instead, you can use the [.inline-code]-c[.inline-code] flag followed by the container’s name:
For example:
This command will execute the [.inline-code]bash[.inline-code] command within the container named [.inline-code]monitor[.inline-code], that runs within the Pod named [.inline-code]web-0[.inline-code].
Note that to discover the names of the containers running within a Pod, you can either manually inspect the Pod's YAML file or use the [.inline-code]kubectl get pods[.inline-code] command as follows:
[#run-commands-using-kubernetes-resources] Executing a command in a Pod via a connected Kubernetes resource [#run-commands-using-kubernetes-resources]
By default, the [.inline-code]kubectl exec[.inline-code] command assumes that the specified resource a command should be executed on is a Pod.
To execute a command on another resource, such as a Deployment, a Statefulset or a Service, you can use the following syntax:
Where:
- [.inline-code]resource[.inline-code] is the type of the resource (e.g. [.inline-code]deployment[.inline-code], [.inline-code]service[.inline-code]).
- [.inline-code]name[.inline-code] is the name of the resource.
- [.inline-code]command[.inline-code] is the command to execute on the Pod managed by that resource.
For example:
This command will execute the [.inline-code]bash[.inline-code] utility in interactive mode in the first container of the first Pod managed by the [.inline-code]nginx[.inline-code] Deployment.
[#run-commands-using-a-yaml-file] Executing a command in a Pod using a YAML manifest [#run-commands-using-a-yaml-file]
Another way to execute a command in a Pod is to use the YAML manifest the Pod or the Deployment was created from.
To achieve this, you can use the [.inline-code]-f[.inline-code] flag (short for [.inline-code]--filename[.inline-code]) as follows:
Where:
- [.inline-code]file[.inline-code] is the relative or absolute path to the YAML manifest file.
- [.inline-code]command[.inline-code] is the command to execute on the Pod declared in this file.
For example:
This command will read the [.inline-code]deployment.yaml[.inline-code] file and execute the [.inline-code]ls /[.inline-code] command in the first Pod of the replicaset of the Deployment specified in that file.
Note that, if the YAML manifest contains more than one Deployment / Pod, the [.inline-code]kubectl exec[.inline-code] command will fail.
[#handle-limited-user-privileges] Handling limited user privileges [#handle-limited-user-privileges]
When running a command using [.inline-code]kubectl exec[.inline-code], the command will run using the same user that the container is running as. In Kubernetes (and Docker) you can specify any number as the user ID and the container will run as that user, even if no user was ever created with the ID. This is often used as a security feature where Pods will run using one of these non-existing users (typically User ID 1000/1001) providing very little access inside the container.
Sometimes you require higher privileges, and some commands even require root access to run. Unfortunately, you can’t directly execute a command as a separate user, but there are a few things you can do (depending on what’s possible per situation).
[#run-commands-as-root] Running a Pod as root [#run-commands-as-root]
To run a Pod as root, you can add the [.inline-code]runAsUser[.inline-code] option to the [.inline-code]securityContext[.inline-code] field and set it to the user ID of the root user, which is 0.
https://docs.google.com/document/d/1Pd87rIwF_bRGFXITdA5hIWpDZmuN1oRu9imcwn1Pbz4/edit
Applying this will cause the containers within the Pod file to run as root, allowing you to now execute the command as the root user.
Note that you can’t directly edit the security context of a running Pod, so you will either have to edit the deployment if you have one, or edit the Pod file locally and delete then redeploy the changes.
Also note that this option might not work if your security policy in the cluster prevents running Pods as root.